As a practicing physician, the responsibility for ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance, for yourself as well as for all of your medical staff, rests squarely on you.
HIPAA violations can expose you or your organization to strict sanctions for faulty practice. At times, violations may also result in loss of the license to practice medicine. Yet violations are common and, more often than not, unintentional.
Failure to comply with HIPAA can result in civil and criminal penalties as well as other hefty fines.
Under the HIPAA penalty guidelines, if a healthcare organization isn’t aware that its practices led to a violation, the minimum civil penalty is $100 per violation, with an annual maximum of $25,000 for repeat violations.
The maximum civil penalty is $50,000 per violation, with an annual maximum of $1.5 million.
To make compliance easier for you and your staff, here’s a list of the six most common HIPAA violations and measures for avoiding them.
1. Lack of a Risk Analysis & Management Process
One of the most common HIPAA violations that result in a financial penalty is the failure to carry out an organization-wide risk analysis and assessment.
In 2013, the Oregon Health & Science University had to pay a $2.7 million settlement for the lack of an enterprise-wide risk analysis. Similarly, the Alaska Department of Health & Social Services paid a penalty of $1.7 million on account of risk analysis and management failures.
If a risk analysis is not carried out at regular intervals, it becomes difficult for an organization to determine whether any vulnerabilities to the integrity, confidentiality, and availability of PHI exist. Risks and potential thefts are therefore more likely to remain unaddressed, leaving the door wide open to hackers.
Performing a risk analysis is essential, but it isn’t a mere checkbox item for meeting HIPAA compliance standards. Risks identified through the analysis must then be put through a risk management process.
They should be assessed and addressed within the stipulated time frame. Knowing about potential risks and failing to address them is also one of the most common HIPAA violations penalized by the Office for Civil Rights.
As tedious as it sounds, risk analysis and assessment should be viewed as an opportunity to look at the organization as a whole and objectively recognize areas for improvement.
Often this means you will be looking at processes you designed and have worked with for years. It’s crucial to use the risk assessment to identify gaps and strengthen controls, not to simply “justify” that the existing controls “aren’t going to change” or “are good enough”.
2. Failing to Safeguard ePHI on Personal or Portable Devices
The HIPAA Security Rule requires Protected Health Information to be secured at all times. Therefore, electronic devices that store ePHI must also be secured at all times, since they are portable and highly valuable.
Opportunistic thieves can effortlessly steal or tamper with an unattended device and gain access to ePHI. There have been numerous cases of healthcare employees taking unencrypted devices out of healthcare facilities, only for them to be stolen from homes or vehicles later.
Only a few years ago, the Children’s Medical Center of Dallas paid a civil monetary penalty of $3.2 million for failing to take action to address known risks, including the failure to use encryption on portable devices.
Theft can also easily occur within a healthcare setting if devices are not protected. Therefore, healthcare employees must make sure that their employer’s policies are strictly adhered to, and that HIPAA Rules aren’t breached by leaving devices unguarded.
One of the most effective ways to avert data breaches is encrypting ePHI. Breaches of encrypted PHI are not common security incidents unless the decryption key is also stolen.
Encryption is not obligatory under HIPAA Rules, but it cannot be ignored. If a healthcare organization decides not to use encryption, a second, equivalent security measure must be used in its place.
3. Downloading or Accessing PHI through Unauthorized Devices
The HIPAA Security Rule states that covered entities and their business associates must restrict ePHI access to authorized individuals alone. Failure to implement appropriate ePHI access controls is a common HIPAA violation, and one that has attracted substantial financial penalties in recent years.
It can be arduous for healthcare IT departments to keep track of every single device that connects to the network. Ensuring those devices are secured can be an even greater problem. Yet, since this is a requirement for HIPAA compliance, healthcare providers aren’t left with much of a choice.
Employees need to be conscious of the security and privacy risks associated with downloading ePHI onto portable electronic devices that aren’t authorized.
This not only increases the risk of unintentional disclosure of ePHI if the device is stolen or misplaced; it can also be viewed as a HIPAA violation in itself.
It is, therefore, the responsibility of the healthcare organization to ensure that access to medical records and patient health information is only granted to authorized individuals who use registered devices.
This can be achieved by implementing access controls through login credentials unique to every individual who accesses those records.
Authorized individuals also need to understand that sharing login credentials not only can lead to prohibited disclosure of ePHI; any actions taken by the other person will be attributed to the employee whose login credentials were used to gain access in the first place.
4. Prying on Healthcare Records
Retrieving the health records of patients on grounds other than those authorized under the Privacy Rule (payment, treatment, and healthcare operations) is a clear-cut violation of patient privacy.
Prying on the healthcare records of friends, family, co-workers, neighbors, and celebrities is another common HIPAA violation. The majority of healthcare employees violate this rule.
The University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records. The healthcare provider was investigated following the discovery that a physician had accessed the medical records of celebrities and other patients without authorization.
When noticed, this violation generally leads to termination of employment. However, it can also result in criminal charges for the employee.
Dr. Huping Zhou, in that incident, became the first healthcare employee to be jailed for a HIPAA violation and was sentenced to 4 months in federal prison.
Perhaps one of the most important steps an organization can take in ensuring compliance is to educate its workforce. Tell them why safeguarding private information is important and how it can only be achieved through their collective effort.
Some important topics to include in that discussion are changing passwords frequently, email encryption, and reporting suspected thefts of private information.
Organizations should maintain a written record of their procedures and policies and ensure that they are kept up to date. Policies and terms that explain how PHI will be used and disclosed need to be understood by every single employee.
Some healthcare employers are getting creative in their approach to catching “snoopers” by setting up what is called a “honeynet” or “honeypot”.
These are fake medical records that are closely monitored to detect anyone attempting to access them without authorization.
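As an added illustration that is not part of the article, here is a small Python detector that applies the honeypot-record idea to EHR access-audit lines: any access to a decoy record is flagged, whatever reason code the user selected. The record IDs, user names and log-line format are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
# Constructed decoy ("honeypot") record IDs seeded into the EHR; placeholders, not real MRNs.
DECOY_RECORDS = {"MRN-900001", "MRN-900002"}

# Constructed EHR access-audit lines; the line format is an assumption for this example.
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:02:11Z user=rn_alvarez action=VIEW record=MRN-100234 reason=TREATMENT
2024-03-01T08:05:47Z user=dr_kim action=VIEW record=MRN-900001 reason=NONE
2024-03-01T09:10:03Z user=billing_ops action=VIEW record=MRN-100234 reason=PAYMENT
2024-03-01T11:42:19Z user=dr_kim action=EXPORT record=MRN-900002 reason=TREATMENT
2024-03-01T12:00:00Z user=rn_alvarez action=VIEW record=MRN-100777 reason=OPERATIONS
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) reason=(?P<reason>\S+)$"
)
@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    action: str
    record: str
    reason: str

def detect_decoy_access(log_text, decoys=DECOY_RECORDS):
    """Return one Alert per audit line that touches a decoy record.

    A decoy has no real patient, so no treatment, payment or operations
    purpose can justify opening it: every access is suspicious, whatever
    reason code the user selected. Unparseable lines are skipped.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("record") in decoys:
            alerts.append(Alert(**m.groupdict()))
    return alerts

def suspects_by_user(alerts):
    """Summarise alerts as {user: number of decoy touches} for privacy-office triage."""
    counts = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts

if __name__ == "__main__":
    for a in detect_decoy_access(SAMPLE_AUDIT_LOG):
        print(f"ALERT {a.ts} {a.user} {a.action} {a.record} reason={a.reason}")
```

Because decoy records have no legitimate clinical use, this check produces no false positives from ordinary workflows; the follow-up is a privacy-office review of the flagged user, not an automatic sanction.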
5. Releasing Information to an Unauthorized Individual
Any revelation of PHI that is not authorized under the HIPAA Privacy Rule can attract a financial penalty.
This violation includes: potential disclosures following the loss or theft of unencrypted laptop computers, careless handling of protected information, disclosing PHI to a patient’s employer, disclosing PHI without any need, failing to follow the ‘minimum necessary’ standard, and disclosures of PHI after retention periods have expired.
Before disclosing any of a patient’s PHI to a third party for a purpose other than one expressly permitted by the HIPAA Privacy Rule, an authorization form must be obtained from the patient.
At times, your employees might be disclosing HIPAA-protected patient information unintentionally. They must, at all times, ensure that authorization has been obtained from the patient and that information isn’t disclosed to any company or individual whose name hasn’t been mentioned on the authorization form.
Authorization forms will only be valid if they have been duly signed by the patient or their nominated representative.
6. Improper Disposal of PHI
When retention periods have expired and physical PHI and ePHI are no longer required, HIPAA Rules require the information to be permanently destroyed in a secure manner.
For instance, before paper PHI records are discarded, they should be made indecipherable by burning or shredding them. The surest way to do this is to hire a reputable company.
At your end, you should make sure your employees comply with a few procedures such as:
- Remembering at all times that some information, such as patient diagnosis reports, social security numbers, and credit or debit card details, may need extra protective measures.
- Adopting policies that require all paper documents to be placed in the recycling bin, whether or not they contain protected information, to avoid any confusion.
- Random inspections to ensure everyone is compliant.
Electronic PHI is less likely to require disposal. However, when it is necessary to dispose of electronic PHI, the options are clearing (using hardware or software to overwrite the sensitive data), purging (using a strong magnetic field to destroy the data), or destroying the device by shredding, incinerating, or melting it.
Companies that provide secure paper PHI disposal may also often provide safe ePHI disposal.
Effective and regular staff training is vital to avoid HIPAA violations. Train your staff to be careful with PHI, and share it only with those authorized to know. And remember to be vigilant yourself.
It doesn’t matter whether violations are the result of substandard human behavior, gossip, insider or outsider hacking, or mere human error. It is critical for healthcare systems to implement robust data security solutions to help ensure compliance.